| From: Alon Bar-L. <alo...@gm...> - 2008-03-28 21:18:19 |
Hello,

You have a valid argument. I would have suggested to quote all "%s" arguments of commands, and solve this properly once and for all.

Alon.

On 3/28/08, Josh Cepek <jos...@us...> wrote:
> Under Windows, when run_up_down() from misc.c executes the --up script,
> the position of the parameters depends on the device name of the tun/tap
> adapter. For example, a default installation creates a device that may
> be called "Local Area Connection 2" (number varies), but this device
> name isn't quoted when passed to the --up program. This makes
> determining the actual name (or any other parameters for that matter)
> nearly impossible.
>
> I've attached a patch that quotes the device argument in the
> run_up_down() function ensuring it is always the first argument to the
> --up script no matter how many spaces appear in the device name.
>
> --
>
> Josh
>
>
> diff -Naur openvpn-2.1_rc7/misc.c openvpn-2.1_rc7_new/misc.c
> --- openvpn-2.1_rc7/misc.c 2008-01-23 21:08:41.000000000 +0000
> +++ openvpn-2.1_rc7_new/misc.c 2008-03-28 20:34:15.000000000 +0000
> @@ -206,7 +206,7 @@
> ASSERT (arg);
>
> buf_printf (&cmd,
> - "%s %d %d %s %s %s",
> + "\"%s\" %d %d %s %s %s",
> arg,
> tun_mtu, link_mtu,
> ifconfig_local, ifconfig_remote,
> @@ -225,7 +225,7 @@
> setenv_str (es, "script_type", script_type);
>
> buf_printf (&cmd,
> - "%s %s %d %d %s %s %s",
> + "%s \"%s\" %d %d %s %s %s",
> command,
> arg,
> tun_mtu, link_mtu,
>
> _______________________________________________
> Openvpn-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
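Review bot: in the first hunk (`@@ -206,7 +206,7 @@`), `+ "\"%s\" %d %d %s %s %s"` wraps `arg` in double quotes but does not escape a `"` or a trailing backslash inside the value, so a device name containing either still splits the argument or turns the closing quote into a literal one; the remaining `%s` operands (`ifconfig_local`, `ifconfig_remote` and the trailing string) stay unquoted. Suggest routing every string operand through one small helper that quotes and escapes, so the argument positions are stable whatever the values contain.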
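Review bot: in the second hunk (`@@ -225,7 +225,7 @@`), `command` is left bare while `arg` gains quotes, yet on Windows the script path is the operand most likely to contain spaces; apply the same quoting to `command` or document that the user must quote it in the config. The format string is also not inside any Windows-only conditional in the visible lines, so the patch description should state that the quoted form was checked on the non-Windows script execution path as well.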
| From: Josh C. <jos...@us...> - 2008-03-28 21:10:08 |
Under Windows, when run_up_down() from misc.c executes the --up script, the position of the parameters depends on the device name of the tun/tap adapter. For example, a default installation creates a device that may be called "Local Area Connection 2" (number varies), but this device name isn't quoted when passed to the --up program. This makes determining the actual name (or any other parameters for that matter) nearly impossible.

I've attached a patch that quotes the device argument in the run_up_down() function ensuring it is always the first argument to the --up script no matter how many spaces appear in the device name.

--
Josh
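The quoting this patch introduces, carried further as an added example (not OpenVPN's code): it quotes every string operand of the --up command line, as Alon's reply suggests, and also escapes embedded quotes and backslashes using the rules the Microsoft C runtime applies when splitting a command line into argv; a small splitter with the same rules checks the round trip. The script path, device name and addresses in the check function are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quote `in` into `out` (capacity `outlen`) following the rules the Microsoft
 * C runtime applies when it splits a command line into argv:
 *   n backslashes followed by '"'  -> 2n+1 backslashes, then '"'
 *   n backslashes at end of value  -> 2n backslashes (before the closing quote)
 *   any other backslash            -> literal
 * Returns false if the result would not fit. */
bool quote_win_arg(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
#define PUT(c) do { if (o + 2 > outlen) return false; out[o++] = (c); } while (0)
    PUT('"');
    for (const char *p = in;; ++p) {
        size_t nbs = 0;
        while (*p == '\\') { ++nbs; ++p; }
        if (*p == '\0') {                       /* end of value: double the trailing run */
            for (size_t i = 0; i < 2 * nbs; ++i) PUT('\\');
            break;
        }
        size_t emit = (*p == '"') ? 2 * nbs + 1 : nbs;
        for (size_t i = 0; i < emit; ++i) PUT('\\');
        PUT(*p);
    }
    PUT('"');
#undef PUT
    out[o] = '\0';
    return true;
}

/* Split `cmd` into argv with the same CRT rules (the reverse of the quoter);
 * each argument is copied into argv[i]. Returns argc. */
int split_win_cmdline(const char *cmd, char argv[][64], int max_args)
{
    int argc = 0;
    const char *p = cmd;
    while (*p && argc < max_args) {
        while (*p == ' ' || *p == '\t') ++p;
        if (!*p) break;
        char *out = argv[argc];
        size_t o = 0;
        bool inquote = false;
        for (;;) {
            size_t nbs = 0;
            while (*p == '\\') { ++nbs; ++p; }
            if (*p == '"') {   /* 2n backslashes: n literal, quote toggles; 2n+1: n plus literal quote */
                for (size_t i = 0; i < nbs / 2 && o < 63; ++i) out[o++] = '\\';
                if (nbs % 2) { if (o < 63) out[o++] = '"'; } else inquote = !inquote;
                ++p;
                continue;
            }
            for (size_t i = 0; i < nbs && o < 63; ++i) out[o++] = '\\';
            if (*p == '\0' || (!inquote && (*p == ' ' || *p == '\t'))) break;
            if (o < 63) out[o++] = *p;
            ++p;
        }
        out[o] = '\0';
        ++argc;
    }
    return argc;
}

/* Build the --up command line in the layout the patch aims for, but with every
 * string operand quoted, not only the device name. Returns false on overflow. */
bool build_up_cmdline(const char *command, const char *dev, int tun_mtu, int link_mtu,
                      const char *ifconfig_local, const char *ifconfig_remote,
                      const char *context, char *out, size_t outlen)
{
    char qc[256], qd[128], ql[64], qr[64], qx[64];
    if (!quote_win_arg(command, qc, sizeof qc) || !quote_win_arg(dev, qd, sizeof qd) ||
        !quote_win_arg(ifconfig_local, ql, sizeof ql) ||
        !quote_win_arg(ifconfig_remote, qr, sizeof qr) || !quote_win_arg(context, qx, sizeof qx))
        return false;
    int n = snprintf(out, outlen, "%s %s %d %d %s %s %s", qc, qd, tun_mtu, link_mtu, ql, qr, qx);
    return n >= 0 && (size_t)n < outlen;
}

/* Check that the script would see `dev` as argv[1] whatever it contains
 * (constructed MTU values, addresses and context string). */
bool up_cmdline_roundtrips(const char *command, const char *dev)
{
    char cmd[512], argv[8][64];
    if (!build_up_cmdline(command, dev, 1500, 1542, "10.8.0.2", "10.8.0.1", "init", cmd, sizeof cmd))
        return false;
    int argc = split_win_cmdline(cmd, argv, 8);
    return argc == 7 && strcmp(argv[0], command) == 0 && strcmp(argv[1], dev) == 0
        && strcmp(argv[2], "1500") == 0 && strcmp(argv[6], "init") == 0;
}
```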
| From: Rasmus R. <ro...@du...> - 2008-03-27 15:20:52 |
In the tap-win32 driver a check in AdapterTransmit(..) prevents multicast packets from ever reaching user space. More specifically it is the following check:

    // Only accept directed packets,
    // not broadcasts.
    if (memcmp (e, &l_Adapter->m_TapToUser, ETHERNET_HEADER_SIZE))
      goto no_queue;

Judging from the comment the check is put in to discard broadcast traffic, but it will also trigger on multicast traffic. Would it be reasonable to change this to do a more direct check for broadcast traffic or add an exception when multicast traffic is detected?
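The distinction this message asks for, as an added example that is not the tap-win32 driver's code: classify the destination MAC as directed, broadcast, multicast or foreign, and queue directed and multicast frames while dropping the rest. It assumes the address handed to user space is a plain 6-byte MAC (the driver compares ETHERNET_HEADER_SIZE bytes against m_TapToUser) and adds a minimum-length check the snippet above does not show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERNET_ADDR_SIZE   6
#define ETHERNET_HEADER_SIZE 14

enum eth_dst { ETH_DST_OURS, ETH_DST_BROADCAST, ETH_DST_MULTICAST, ETH_DST_OTHER };

/* Classify the destination MAC at the start of an Ethernet frame against the
 * user-side adapter address `ours` (assumed to be a plain 6-byte MAC).
 * Broadcast is ff:ff:ff:ff:ff:ff; any other address whose first octet has the
 * group bit (bit 0) set is multicast. */
enum eth_dst classify_eth_dst(const uint8_t *dst, const uint8_t *ours)
{
    static const uint8_t bcast[ETHERNET_ADDR_SIZE] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (memcmp(dst, ours, ETHERNET_ADDR_SIZE) == 0)  return ETH_DST_OURS;
    if (memcmp(dst, bcast, ETHERNET_ADDR_SIZE) == 0) return ETH_DST_BROADCAST;
    if (dst[0] & 0x01)                               return ETH_DST_MULTICAST;
    return ETH_DST_OTHER;
}

/* The queueing decision under discussion: a frame reaches user space if it is
 * directed to us or is multicast; runts (shorter than one Ethernet header),
 * broadcasts and frames for some other station are dropped. The original
 * memcmp dropped everything that did not match the stored header exactly. */
bool should_queue_to_user(const uint8_t *frame, size_t len, const uint8_t *ours)
{
    if (len < ETHERNET_HEADER_SIZE) return false;
    switch (classify_eth_dst(frame, ours)) {
    case ETH_DST_OURS:
    case ETH_DST_MULTICAST: return true;
    default:                return false;
    }
}
```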
| From: Giancarlo R. <lin...@on...> - 2008-03-21 02:09:24 |
Marcus geepunkt wrote:
> I'm sorry, i just forgot a "-" between "remote" and "random". Now it
> seems to choose another server after a connection-breakdown, but well,
> the tun/tap-interface doesn't set the correct default gateway on the
> new connection. I'll do a little more research on this on the net.
>
> Greetz,
> Marcus
>
> ---
> Fri Mar 21 01:50:57 2008 us=437000 TEST ROUTES: 0/0 succeeded len=0
> ret=0 a=0 u/d=down
> Fri Mar 21 01:50:57 2008 us=437000 Route: Waiting for TUN/TAP
> interface to come up...
> Fri Mar 21 01:50:58 2008 us=609000 TEST ROUTES: 0/0 succeeded len=0
> ret=0 a=0 u/d=down
> Fri Mar 21 01:50:58 2008 us=609000 Route: Waiting for TUN/TAP
> interface to come up...
> Fri Mar 21 01:50:59 2008 us=781000 TEST ROUTES: 0/0 succeeded len=0
> ret=0 a=0 u/d=down
> Fri Mar 21 01:50:59 2008 us=781000 Route: Waiting for TUN/TAP
> interface to come up...
>

Why do people always think it is a bug, when it is not? Is there some reward for finding bugs in software? I don't think so. Please, next time post it on openvpn-users. If they think it is a program bug, they will send you here.

Sorry for the aggressive answer, but I do sign lists of other software too, and I'm tired of seeing people report bugs that don't exist. I think that the ego of people is sooooo big that they don't think they misconfigured the software, and think the software has a bug. It's a shame.

Sorry, but couldn't resist,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
| From: Marcus g. <ade...@go...> - 2008-03-21 00:56:17 |
I'm sorry, I just forgot a "-" between "remote" and "random". Now it seems to choose another server after a connection-breakdown, but well, the tun/tap-interface doesn't set the correct default gateway on the new connection. I'll do a little more research on this on the net.

Greetz,
Marcus

---
Fri Mar 21 01:50:57 2008 us=437000 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Fri Mar 21 01:50:57 2008 us=437000 Route: Waiting for TUN/TAP interface to come up...
Fri Mar 21 01:50:58 2008 us=609000 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Fri Mar 21 01:50:58 2008 us=609000 Route: Waiting for TUN/TAP interface to come up...
Fri Mar 21 01:50:59 2008 us=781000 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Fri Mar 21 01:50:59 2008 us=781000 Route: Waiting for TUN/TAP interface to come up...
| From: Marcus <ade...@go...> - 2008-03-20 14:50:48 |
Hi Folks,

I just did a failover test according to the howto. Two servers (1+2) resolved via DNS. The server pushes the following:

    push "redirect-gateway def1"
    push "dhcp-option DOMAIN uni-tuebingen.de"
    push "dhcp-option DNS 134.2.200.1"
    push "dhcp-option DNS 134.2.200.2"

This works great. Scenario was as follows: Client is connected to and does everything via Server 1. Now Server 1 crashes due to hardware error or whatever. (I simulated that by killing the ovpn daemon with SIGTERM). After some time the client recognizes that and tries its rescue program. It however fails to resolve other servers from its conf, since the routing is still in effect (at least that's what I suppose.) Here the whole failover concept is screwed in my opinion. (Maybe I just misconfigured it?)

Here are the client and server config:

    local openvpn1or2.ourdomain.de
    port 1194
    proto udp
    dev tun
    # Use the whole subnet (coz IPv4-Adresses are getting rare)
    ## (experimental?)
    topology subnet
    # PAM for authentication
    plugin /lib/security/openvpn-auth-pam.so openvpn
    # Change to config-Dir
    cd /etc/openvpn
    # Key-Stuff
    ca ssl/ca.crt
    cert ssl/server.crt
    key ssl/server.key
    dh ssl/dh1024.pem
    mode server
    server 13.12.221.0 255.255.255.0
    client-cert-not-required
    username-as-common-name
    tls-server
    tls-auth ssl/ta.key 0
    up /etc/openvpn/server-up.sh
    down /etc/openvpn/server-down.sh
    client-connect /etc/openvpn/client-connect.sh
    client-disconnect /etc/openvpn/client-disconnect.sh
    push "redirect-gateway def1"
    push "dhcp-option DOMAIN ourdomain.de"
    push "dhcp-option DNS 13.12.222.1"
    push "dhcp-option DNS 13.12.222.2"
    client-to-client
    duplicate-cn
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log 1
    log-append /var/log/openvpn/openvpn.log
    verb 3
    # drop privs
    user openvpn
    group openvpn
    mute 4

----- so far for the server config

Here comes the client config:

    client
    dev tun
    proto udp
    remote openvpn1.ourdomain.de 1194
    remote openvpn2.ourdomain.de 1194
    remote random
    route-method exe
    route-delay 2
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass
    ca ca.crt
    tls-auth ta.key 1
    verb 3

Here is the client log of the failover test:

Thu Mar 20 14:34:42 2008 OpenVPN 2.1_rc7 Win32-MinGW [SSL] [LZO2] [PKCS11] built on Jan 29 2008
[ ... ]
Thu Mar 20 14:56:50 2008 [openvpn1.ourdomain.de] Inactivity timeout (--ping-restart), restarting
Thu Mar 20 14:56:50 2008 TCP/UDP: Closing socket
Thu Mar 20 14:56:50 2008 SIGUSR1[soft,ping-restart] received, process restarting
Thu Mar 20 14:56:50 2008 Restart pause, 2 second(s)
Thu Mar 20 14:56:52 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Mar 20 14:56:52 2008 Re-using SSL/TLS context
Thu Mar 20 14:56:52 2008 LZO compression initialized
Thu Mar 20 14:56:52 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 20 14:57:07 2008 RESOLVE: Cannot resolve host address: openvpn1.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:57:07 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 20 14:57:07 2008 Local Options hash (VER=V4): '504e774e'
Thu Mar 20 14:57:07 2008 Expected Remote Options hash (VER=V4): '14168603'
Thu Mar 20 14:57:22 2008 RESOLVE: Cannot resolve host address: openvpn1.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:57:22 2008 TCP/UDP: Closing socket
Thu Mar 20 14:57:22 2008 SIGUSR1[soft,init_instance] received, process restarting
Thu Mar 20 14:57:22 2008 Restart pause, 2 second(s)
Thu Mar 20 14:57:24 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Mar 20 14:57:24 2008 Re-using SSL/TLS context
Thu Mar 20 14:57:24 2008 LZO compression initialized
Thu Mar 20 14:57:24 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 20 14:57:39 2008 RESOLVE: Cannot resolve host address: openvpn2.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:57:39 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 20 14:57:39 2008 Local Options hash (VER=V4): '504e774e'
Thu Mar 20 14:57:39 2008 Expected Remote Options hash (VER=V4): '14168603'
Thu Mar 20 14:57:54 2008 RESOLVE: Cannot resolve host address: openvpn2.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:57:54 2008 TCP/UDP: Closing socket
Thu Mar 20 14:57:54 2008 SIGUSR1[soft,init_instance] received, process restarting
Thu Mar 20 14:57:54 2008 Restart pause, 2 second(s)
Thu Mar 20 14:57:56 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Mar 20 14:57:56 2008 Re-using SSL/TLS context
Thu Mar 20 14:57:56 2008 LZO compression initialized
Thu Mar 20 14:57:56 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 20 14:58:13 2008 RESOLVE: Cannot resolve host address: random: [HOST_NOT_FOUND] The specified host is unknown.
Thu Mar 20 14:58:13 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 20 14:58:13 2008 Local Options hash (VER=V4): '504e774e'
Thu Mar 20 14:58:13 2008 Expected Remote Options hash (VER=V4): '14168603'
Thu Mar 20 14:58:30 2008 RESOLVE: Cannot resolve host address: random: [HOST_NOT_FOUND] The specified host is unknown.
Thu Mar 20 14:58:30 2008 TCP/UDP: Closing socket
Thu Mar 20 14:58:30 2008 SIGUSR1[soft,init_instance] received, process restarting
Thu Mar 20 14:58:30 2008 Restart pause, 2 second(s)
Thu Mar 20 14:58:32 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Mar 20 14:58:32 2008 Re-using SSL/TLS context
Thu Mar 20 14:58:32 2008 LZO compression initialized
Thu Mar 20 14:58:32 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 20 14:58:47 2008 RESOLVE: Cannot resolve host address: openvpn1.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:58:47 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 20 14:58:47 2008 Local Options hash (VER=V4): '504e774e'
Thu Mar 20 14:58:47 2008 Expected Remote Options hash (VER=V4): '14168603'
Thu Mar 20 14:59:02 2008 RESOLVE: Cannot resolve host address: openvpn1.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:59:02 2008 TCP/UDP: Closing socket
Thu Mar 20 14:59:02 2008 SIGUSR1[soft,init_instance] received, process restarting
Thu Mar 20 14:59:02 2008 Restart pause, 2 second(s)
Thu Mar 20 14:59:04 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Mar 20 14:59:04 2008 Re-using SSL/TLS context
Thu Mar 20 14:59:04 2008 LZO compression initialized
Thu Mar 20 14:59:04 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Mar 20 14:59:19 2008 RESOLVE: Cannot resolve host address: openvpn2.ourdomain.de: [NO_DATA] The requested name is valid but does not have an IP address.
Thu Mar 20 14:59:19 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 20 14:59:19 2008 Local Options hash (VER=V4): '504e774e'
Thu Mar 20 14:59:19 2008 Expected Remote Options hash (VER=V4): '14168603'
# Here I killed the connection manually #
Thu Mar 20 14:59:34 2008 RESOLVE: signal received during DNS resolution attempt
Thu Mar 20 14:59:34 2008 TCP/UDP: Closing socket
Thu Mar 20 14:59:34 2008 route DELETE 19.17.63.67 MASK 255.255.255.255 a.b.c.d
Thu Mar 20 14:59:34 2008 route DELETE 0.0.0.0 MASK 128.0.0.0 13.22.227.1
Thu Mar 20 14:59:35 2008 route DELETE 128.0.0.0 MASK 128.0.0.0 13.22.227.1
Thu Mar 20 14:59:35 2008 Closing TUN/TAP interface
Thu Mar 20 14:59:35 2008 SIGTERM[hard,init_instance] received, process exiting

Greetz,
Marcus
| From: Alon Bar-L. <alo...@gm...> - 2008-03-19 06:36:40 |
Hi!

On 3/19/08, Peter Koch <pk...@op...> wrote:
> We only use smartcard readers with secure pin entry.

Nice! You are the first one to confirm that protected authentication actually works! I never had the hardware to test it out.

> Where can I find more information about the management interface?
> I agree - it should be very easy to let OpenVPN automatically know
> which certificate to use.

You can review the protocol at [1]. A simple sample I wrote in perl is at [2]. I believe it should be very simple to convert [2] into a non-interactive script for Windows. This script can be installed as a service using the servany utility [3] from the resource kit, or use [4]. You can also use Windows Task Scheduler to do the work.

Alon.

[1] http://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn/management/management-notes.txt
[2] http://alon.barlev.googlepages.com/openvpn-kde-dialogs.pl.bz2
[3] http://www.perlguy.com/articles/nt_service.html
[4] http://search.cpan.org/~daveroth/Win32-Scheduler_v20000702/lib/Win32/Scheduler.PM
| From: Alon Bar-L. <alo...@gm...> - 2008-03-18 15:03:18 |
Hello,

I updated the kde script [1] to handle these new commands. It presents the user with a friendly list of certificates. With some customization this can also be modified to execute customized non-interactive authentication.

Peter, I don't understand how you currently specify the passphrase for the token, and how you handle token remove and insert. Do you require the user to insert the token before boot and never remove it? What happens if the user removes his token, should he reboot?

I believe that using the management interface for automation is easy.

Alon.

[1] http://alon.barlev.googlepages.com/openvpn-kde-dialogs.pl.bz2

On 3/18/08, Alon Bar-Lev <alo...@gm...> wrote:
> Hello,
>
> In your case I thought using a simple perl script installed using
> servany, this script can provide the certificate and passphrase
> automation during computer startup.
>
> Sample perl scripts are available at [1].
>
> Anyway... The proper solution for Windows login is to write a RAS provider
> that interacts with winlogon, just like Microsoft VPN. This will enable
> the user to connect to the VPN with user interaction before login. This RAS
> provider will be able to interact with OpenVPN via the management interface.
>
> Alon.
>
> [1] http://alon.barlev.googlepages.com/openvpn-pkcs11
>
>
> On 3/18/08, Peter Koch <pk...@op...> wrote:
> > Hi all,
> >
> > If future versions of OpenVPN will not be able to
> > automatically select a certificate without
> > user interaction we will have major problems
> > with our home-offices.
> >
> > The reason is that our user uses an OpenVPN
> > tunnel to log into our samba domain. Hence
> > we MUST run OpenVPN as a service and MUST
> > create a connection during windows startup.
> >
> > I cannot imagine how OpenVPN could ask the
> > user which certificate to use if the user
> > has not logged on. During startup Windows
> > will not show the regular desktop but the
> > logon desktop. And no process besides the
> > windows logon itself is allowed to display
> > anything on the logon desktop.
> >
> > So please include a configuration option
> > that will tell OpenVPN to use the first
> > certificate it finds with no user interaction.
> > This would help us a lot. And since our
> > smartcards have one certificate only it does
> > not make much sense to ask which one to
> > use anyway :-)
> >
> > Peter
| From: Alon Bar-L. <alo...@gm...> - 2008-03-18 06:13:37 |
Hello,

In your case I thought using a simple perl script installed using servany, this script can provide the certificate and passphrase automation during computer startup.

Sample perl scripts are available at [1].

Anyway... The proper solution for Windows login is to write a RAS provider that interacts with winlogon, just like Microsoft VPN. This will enable the user to connect to the VPN with user interaction before login. This RAS provider will be able to interact with OpenVPN via the management interface.

Alon.

[1] http://alon.barlev.googlepages.com/openvpn-pkcs11

On 3/18/08, Peter Koch <pk...@op...> wrote:
> Hi all,
>
> If future versions of OpenVPN will not be able to
> automatically select a certificate without
> user interaction we will have major problems
> with our home-offices.
>
> The reason is that our user uses an OpenVPN
> tunnel to log into our samba domain. Hence
> we MUST run OpenVPN as a service and MUST
> create a connection during windows startup.
>
> I cannot imagine how OpenVPN could ask the
> user which certificate to use if the user
> has not logged on. During startup Windows
> will not show the regular desktop but the
> logon desktop. And no process besides the
> windows logon itself is allowed to display
> anything on the logon desktop.
>
> So please include a configuration option
> that will tell OpenVPN to use the first
> certificate it finds with no user interaction.
> This would help us a lot. And since our
> smartcards have one certificate only it does
> not make much sense to ask which one to
> use anyway :-)
>
> Peter
| From: Alon Bar-L. <alo...@gm...> - 2008-03-17 13:22:25 |
On 3/17/08, Christophe Vandeplas <chr...@va...> wrote:
> I'll have a deeper look at your management patch, maybe I can find a
> way to add the pkcs11-match principle in your code with almost no
> extra complexity and redundant code.
> Do you think it's worth the effort? Or better wait for the results and
> feedback from the management part?

I think that what is missing for Windows users is a good OpenVPN GUI. A simple tray icon with a context menu that enables the user to connect/disconnect/authenticate/select certificate/prompt for ok. Many Windows users have expected this for a long time... And I know that implementing such using the .NET framework is easy... Some forms, a socket and a state machine. This OpenVPN GUI can be extensible so it may call a plugin before user interaction so sysadmins can configure some of its behavior.

I think that if you wish to invest some effort for Windows, this is the place :)

Alon.
| From: Christophe V. <chr...@va...> - 2008-03-17 13:15:00 |
On 3/17/08, Alon Bar-Lev <alo...@gm...> wrote:
> On 3/17/08, Christophe Vandeplas <chr...@va...> wrote:
> > > So back to my original idea... Use the management interface to prompt
> > > the user to select a certificate.
> >
> > What does that mean for the end-user? If I understand it correctly the
> > user will need to do the following:
> > - start tunnel/openvpn
> > - open webbrowser and select certificate
> > - enter key (where? webinterface?, cli?)
>
> No no no... The OpenVPN GUI should handle all this... Prompt the user
> with a list of certificates for him to choose.
> The OpenVPN GUI may also be improved to execute some helper script to
> filter out the list.

Looks like I misunderstood the management interface. I always understood it was the web-management... What you are referring to looks great !!

> > The thing is that some implementations of middleware (the Belgian eID
> > middleware, based on opensc) prompts the user with a GUI window for
> > entering the password. (at least on MS Windows, not on my mac).
> > This window is started from the opensc layer and thus independent of
> > the layer above (openvpn). (please correct me if I'm wrong)
>
> I believe you are wrong and referring to the CSP alternative. PKCS#11
> provider should not issue UI.

I should take a deeper look in the sources of the belgian middleware to confirm this theory...

> > Isn't it also a possibility to include both ways? If yes I think we
> > should rewrite it a little to prevent duplicate code as much as
> > possible...
>
> I don't understand why the management interface solution is not sufficient.

Just a misunderstanding from my side with the certificate selector/management and a web-interface... Having such a management (gui, cli) is a great idea.

A question might be: Is there need for a system like the patch I wrote, knowing your management patch should be included?

Here are my likes/dislikes (as I understand it):

pkcs11-match:
- more code
+ transparent thingie for the end-user, no need to understand concepts of certificates

pkcs11-management:
+ user has choice of cert
- user has choice of cert

I'll have a deeper look at your management patch, maybe I can find a way to add the pkcs11-match principle in your code with almost no extra complexity and redundant code.
Do you think it's worth the effort? Or better wait for the results and feedback from the management part?

Thanks for your interest and input !

Christophe
| From: Alon Bar-L. <alo...@gm...> - 2008-03-17 12:53:50 |
On 3/17/08, Christophe Vandeplas <chr...@va...> wrote:
> > So back to my original idea... Use the management interface to prompt
> > the user to select a certificate.
>
> What does that mean for the end-user? If I understand it correctly the
> user will need to do the following:
> - start tunnel/openvpn
> - open webbrowser and select certificate
> - enter key (where? webinterface?, cli?)

No no no... The OpenVPN GUI should handle all this... Prompt the user with a list of certificates for him to choose. The OpenVPN GUI may also be improved to execute some helper script to filter out the list.

BTW: When I write OpenVPN GUI, I refer to any UI that uses the management interface to control OpenVPN. A simple .NET application may be written to do so with little effort.

> The thing is that some implementations of middleware (the Belgian eID
> middleware, based on opensc) prompts the user with a GUI window for
> entering the password. (at least on MS Windows, not on my mac).
> This window is started from the opensc layer and thus independent of
> the layer above (openvpn). (please correct me if I'm wrong)

I believe you are wrong and referring to the CSP alternative. PKCS#11 provider should not issue UI.

> With this situation it really becomes too complex for the end-user:
> - start tunnel (place 1)
> - open browser select certificate (place 2)
> - enter passwd in separate window (place 3)
> The user has 3 different locations where input is needed.

No... Start a tunnel using the OpenVPN GUI. The OpenVPN GUI will prompt the user to select a certificate (if he has more than one... maybe it will preselect it). The OpenVPN GUI will prompt for the passphrase.

> With my proposed patch, the user has only two different things to do.
> - start tunnel
> - enter key in cli or GUI window
> There are no complex certificate selections, as most of the users
> don't even understand what they are. Isn't it the sys/net-admin that
> should configure that pkcs11-id or pkcs11-match string?

If you take the Microsoft certificate store for example, Internet Explorer will prompt the user to select the correct certificate when required. Just like in the proposed scenario.

> I plan to work on v2 of my patch to enable the 'match' on either the
> DN or the serialised-id. This way it becomes even more flexible and
> powerful.
> But well, except if there is no hope of seeing this patch in the main
> trunk in the future ...

I believe that adding more complexity into the OpenVPN daemon is not the correct approach. For this reason we have the management interface, which enables delegating user interaction to a separate solution.

> What do you think?
>
> Isn't it also a possibility to include both ways? If yes I think we
> should rewrite it a little to prevent duplicate code as much as
> possible...

I don't understand why the management interface solution is not sufficient.

Alon.
| From: Christophe V. <chr...@va...> - 2008-03-17 08:02:28 |
> So back to my original idea... Use the management interface to prompt
> the user to select a certificate.

What does that mean for the end-user? If I understand it correctly the user will need to do the following:
- start tunnel/openvpn
- open webbrowser and select certificate
- enter key (where? webinterface?, cli?)

The thing is that some implementations of middleware (the Belgian eID middleware, based on opensc) prompts the user with a GUI window for entering the password. (at least on MS Windows, not on my mac). This window is started from the opensc layer and thus independent of the layer above (openvpn). (please correct me if I'm wrong)

With this situation it really becomes too complex for the end-user:
- start tunnel (place 1)
- open browser select certificate (place 2)
- enter passwd in separate window (place 3)
The user has 3 different locations where input is needed.

With my proposed patch, the user has only two different things to do.
- start tunnel
- enter key in cli or GUI window
There are no complex certificate selections, as most of the users don't even understand what they are. Isn't it the sys/net-admin that should configure that pkcs11-id or pkcs11-match string?

I liked the principle of the cryptoapicert hook in windows where the admin enters a part of the string to match. (Unfortunately I can't get it working on that Windows machine.. weird SSL issue.. but that's something for another mail )

I plan to work on v2 of my patch to enable the 'match' on either the DN or the serialised-id. This way it becomes even more flexible and powerful.
But well, except if there is no hope of seeing this patch in the main trunk in the future ...

What do you think?

Isn't it also a possibility to include both ways? If yes I think we should rewrite it a little to prevent duplicate code as much as possible...

Cheers
Christophe
| From: Alon Bar-L. <alo...@gm...> - 2008-03-16 18:05:17 |
Hello,

I did not realize how many people depend on the low-level PKCS#11 properties. I thought I would postpone this to the next OpenVPN version, but I see more and more people need the "single configuration file" option.

I first thought to create a filter similar to what you suggest... But users would like to choose a certificate based on certificate authority, EKU, UPN or any other field, and OpenVPN is already complex enough.

Then I thought I would execute some external hook, but OpenVPN does not have the ability to send a large amount of data to hooks, and receive data from hooks.

So back to my original idea... Use the management interface to prompt the user to select a certificate.

You may find it at [1]. It introduces the pkcs11-id-management configuration option and the NEED-STR real-time management message, which is responded to with the PKCS#11 identity. It also introduces two management commands: pkcs11-id-count, pkcs11-id-get.

The sequence is as follows:

    >NEED-STR:Need 'pkcs11-id-request' string MSG:Please specify PKCS#11 id to use
    pkcs11-id-count
    >PKCS11ID-COUNT:5
    pkcs11-id-get 0
    >PKCS11ID-ENTRY:'0', ID:'<snip>', BLOB:'<snip>'
    pkcs11-id-get 1
    >PKCS11ID-ENTRY:'1', ID:'<snip>', BLOB:'<snip>'
    needstr 'pkcs11-id-request' '<snip>'

This allows a management application to inspect available certificates, and prompt the user to choose the correct one.

James, some notes:
1. Please acknowledge the NEED-STR addition. It is in the first revision.
2. I had to increase the USER_PASS_LEN constant, as it is also used for strings now.
3. I had to increase the ERR_BUF_SIZE constant, as I need to output a complete base64 certificate.

I hope this helps,
Alon Bar-Lev.

[1] svn diff -r 2844:2849 http://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn

On 3/16/08, Christophe Vandeplas <chr...@va...> wrote:
> Hi all,
>
> From the mailinglist I'm not the first one that wanted dynamic key-id
> detection for pkcs11 authentication. |
| From: Christophe V. <chr...@va...> - 2008-03-16 16:30:58 |
Hi all,

From the mailinglist I'm not the first one that wanted dynamic key-id detection for pkcs11 authentication. I first started to write a script, but it had to be platform independent. Working on two scripts (bash and vbs) was stupid as they really became too big and created extra security risks. That's why I started to work on this patch. (see attach)

In short this is what I do:
- New pkcs11-match variable in the openvpn.conf. This is the substring of the key-id you want to match. It works with a 'first match wins' principle.
- options.c => I add the variable and the checks, as it's either pkcs11-id or pkcs11-match
- ssl.c => if pkcs11_match is set, do the checks and give an error if necessary. Store the key-id in options->pkcs11_id. I had to do some black magic here. options->pkcs11_id is defined as const. So I had to un-const this variable to be able to change its value. This is just a compiler-bypass but a long-term solution should be sought by changing some parts of the design of the const-ness of some variables. I think this is something _you_ should decide.
- pkcs11.c => I copy-pasted some code of the find-pkcs11-ids(), refactored it and added a check for the substring. First I wanted to add a regex-check, but then I had to depend on new libs and that's probably something you do not want.

The behavior is the same as the cryptoapicert variable for Windows (where also a substring is needed).

I did my best to try to prevent memory leaks, but please double check that. Worst case only a few bytes should be lost, but hey, better check :-)

Thanks for considering including this patch. I (and probably other people) _need_ this functionality to make OpenVPN more user-friendly. The computer/config will not be locked to the smartcard. This enables people to:
- deploy the same configuration on different computers
- log in to the tunnel with different cards on the same machine (different users that share the same computer)
- With eIDs (what I use) the key-id contains similar characteristics. (like mine where 'BELPIC\x20\x28Basic\x20PIN\x29/02' is the end of the Authentication key: Axalto/Belgium\x20eID/6CFF2491AB111E14/BELPIC\x20\x28Basic\x20PIN\x29/02 )

All input on the patch is welcome.

Thanks
Christophe

PS: It's for my OpenVPN plans with the eID...
<http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid>
<http://christophe.vandeplas.com/2008/02/08/database-authorization-openvpn-eid>

--
mailto:chr...@va...
http://christophe.vandeplas.com |
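As an added example, not code from this thread or from OpenVPN, here is a small Python management client for the exchange Alon describes above, combined with the pkcs11-match substring policy Christophe proposes: it answers NEED-STR by enumerating ids with pkcs11-id-count / pkcs11-id-get, takes the first id containing the configured substring, and only falls back to a user prompt when nothing matches. The FakeDaemon, the sample ids and the assumption that the daemon's reply lines have exactly the shape quoted in the thread are constructed for this example.

```python
import re

# Message shapes follow the management-interface sequence quoted in the thread.
NEED_STR_RE = re.compile(r"^>NEED-STR:Need '([^']+)' string MSG:(.*)$")
COUNT_RE = re.compile(r"^>PKCS11ID-COUNT:(\d+)$")
ENTRY_RE = re.compile(r"^>PKCS11ID-ENTRY:'(\d+)', ID:'([^']*)', BLOB:'([^']*)'$")


class Pkcs11Entry:
    def __init__(self, index, serialized_id, blob):
        self.index = index                  # position reported by pkcs11-id-get
        self.serialized_id = serialized_id  # OpenVPN serialized PKCS#11 id
        self.blob = blob                    # base64 DER certificate, opaque here


def parse_need_str(line):
    m = NEED_STR_RE.match(line)
    if not m:
        raise ValueError("not a NEED-STR message: %r" % line)
    return m.group(1), m.group(2)


def parse_count(line):
    m = COUNT_RE.match(line)
    if not m:
        raise ValueError("not a PKCS11ID-COUNT message: %r" % line)
    return int(m.group(1))


def parse_entry(line):
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError("not a PKCS11ID-ENTRY message: %r" % line)
    return Pkcs11Entry(int(m.group(1)), m.group(2), m.group(3))


def choose_entry(entries, match):
    """pkcs11-match policy: substring of the serialized id, first match wins."""
    for e in entries:
        if match in e.serialized_id:
            return e
    return None


def needstr_reply(name, value):
    # Serialized ids encode spaces as \x20, so a well-formed id needs no quoting;
    # refuse anything that would break the single-quoted argument rather than escape it.
    if "'" in value or any(c.isspace() for c in value):
        raise ValueError("id not safe as a quoted management argument: %r" % value)
    return "needstr '%s' '%s'" % (name, value)


def handle_need_str(send, recv, match, prompt=None):
    """Client side: enumerate ids, pick one by policy (or via prompt(entries)), answer NEED-STR."""
    name, _msg = parse_need_str(recv())
    if name != "pkcs11-id-request":
        raise ValueError("unexpected NEED-STR name: %r" % name)
    send("pkcs11-id-count")
    count = parse_count(recv())
    entries = []
    for i in range(count):
        send("pkcs11-id-get %d" % i)
        entry = parse_entry(recv())
        if entry.index != i:
            raise ValueError("asked for entry %d, got %d" % (i, entry.index))
        entries.append(entry)
    chosen = choose_entry(entries, match)
    if chosen is None:
        if prompt is None:
            raise LookupError("no PKCS#11 id contains %r" % match)
        chosen = prompt(entries)  # the GUI case from the thread: ask the user
    send(needstr_reply(name, chosen.serialized_id))
    return chosen


class FakeDaemon:
    """Offline stand-in for the daemon side; reply lines follow the quoted sequence."""
    def __init__(self, entries):
        self.entries = entries
        self.inbox = [">NEED-STR:Need 'pkcs11-id-request' string MSG:Please specify PKCS#11 id to use"]
        self.received = []  # commands the client sent, in order

    def recv(self):
        return self.inbox.pop(0)

    def send(self, cmd):
        self.received.append(cmd)
        if cmd == "pkcs11-id-count":
            self.inbox.append(">PKCS11ID-COUNT:%d" % len(self.entries))
        elif cmd.startswith("pkcs11-id-get "):
            e = self.entries[int(cmd.split()[1])]
            self.inbox.append(">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'"
                              % (e.index, e.serialized_id, e.blob))


# Constructed sample ids in the Belgian eID layout shown in the thread (serials made up);
# /02 is the authentication key, /03 the signature key, two cards present.
SAMPLE_ENTRIES = [
    Pkcs11Entry(0, r"Axalto/Belgium\x20eID/0123456789ABCDEF/BELPIC\x20\x28Basic\x20PIN\x29/03", "BASE64CERT0"),
    Pkcs11Entry(1, r"Axalto/Belgium\x20eID/0123456789ABCDEF/BELPIC\x20\x28Basic\x20PIN\x29/02", "BASE64CERT1"),
    Pkcs11Entry(2, r"Axalto/Belgium\x20eID/FEDCBA9876543210/BELPIC\x20\x28Basic\x20PIN\x29/02", "BASE64CERT2"),
]


def run_demo(match):
    """Run the whole exchange against the fake daemon; returns (chosen id, commands sent)."""
    daemon = FakeDaemon(SAMPLE_ENTRIES)
    chosen = handle_need_str(daemon.send, daemon.recv, match)
    return chosen.serialized_id, daemon.received
```

With the match string from Christophe's mail the signature key (/03) is skipped and the first card's authentication key is answered; a serial substring instead selects a specific card.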
| From: Mirek Z. <za...@ne...> - 2008-03-13 14:53:49 |
I'm sending NTLMv2 patch again. I hope that everything is correct now :-) Again thanks to Alon for his feedback. Miroslav Zajic NextSoft s.r.o. P.S. I moved int64 macros to ntlm.c. I left them unchanged, becouse they could be useful in future. diff -Naur openvpn-2.1/ntlm.c openvpn-NTLMv2-predelane-2.1/ntlm.c --- openvpn-2.1/ntlm.c 2008-01-13 21:25:52.915264000 +0100 +++ openvpn-NTLMv2-predelane-2.1/ntlm.c 2008-03-13 15:29:31.109375000 +0100 @@ -3,6 +3,8 @@ * * Copyright (C) 2004 William Preston * + * *NTLMv2 support and domain name parsing by Miroslav Zajic, NextSoft s.r.o.* + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or @@ -41,6 +43,21 @@ #include "memdbg.h" + +/* 64bit datatype macros */ +#ifdef _MSC_VER + /* MS compilers */ +# define UINTEGER64 __int64 +# define UINT64(c) c ## Ui64 +#else + /* Non MS compilers */ +# define UINTEGER64 unsigned long long +# define UINT64(c) c ## LL +#endif + + + + static void create_des_keys(const unsigned char *hash, unsigned char *key) { 
@@ -70,6 +87,61 @@ memcpy (result, md, 16); } +static void +gen_hmac_md5 (const char* data, int data_len, const char* key, int key_len,char *result) +{ + unsigned int len; + + HMAC_CTX c; + HMAC_Init (&c, key, key_len, EVP_md5()); + HMAC_Update (&c, data, data_len); + HMAC_Final (&c, result, &len); + HMAC_CTX_cleanup(&c); +} + +static void +gen_timestamp (unsigned char *timestamp) +{ + /* Copies 8 bytes long timestamp into "timestamp" buffer. + * Timestamp is Little-endian, 64-bit signed value representing the number of tenths of a microsecond since January 1, 1601. + */ + + UINTEGER64 timestamp_ull; + + timestamp_ull = openvpn_time(NULL); + timestamp_ull = (timestamp_ull + UINT64(11644473600)) * UINT64(10000000); + + /* store little endian value */ + timestamp[0]= timestamp_ull & UINT64(0xFF); + timestamp[1]= (timestamp_ull >> 8) & UINT64(0xFF); + timestamp[2]= (timestamp_ull >> 16) & UINT64(0xFF); + timestamp[3]= (timestamp_ull >> 24) & UINT64(0xFF); + timestamp[4]= (timestamp_ull >> 32) & UINT64(0xFF); + timestamp[5]= (timestamp_ull >> 40) & UINT64(0xFF); + timestamp[6]= (timestamp_ull >> 48) & UINT64(0xFF); + timestamp[7]= (timestamp_ull >> 56) & UINT64(0xFF); +} + +static void +gen_nonce (unsigned char *nonce) +{ + /* Generates 8 random bytes to be used as client nonce */ + int i; + + for(i=0;i<8;i++){ + nonce[i] = (unsigned char)get_random(); + } +} + +unsigned char *my_strupr(unsigned char *str) +{ + /* converts string to uppercase in place */ + unsigned char *tmp = str;; + + do *str = toupper(*str); while (*(++str)); + return tmp; +} + static int unicodize (char *dst, const char *src) { 
@@ -85,6 +157,18 @@ return i; } +static void +add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos) +{ + /* Adds security buffer data to a message and sets security buffer's offset and length */ + msg_buf[sb_offset] = (unsigned char)length; + msg_buf[sb_offset + 2] = msg_buf[sb_offset]; + msg_buf[sb_offset + 4] = (unsigned char)(*msg_bufpos & 0xff); + msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos >> 8) & 0xff); + memcpy(&msg_buf[*msg_bufpos], data, msg_buf[sb_offset]); + *msg_bufpos += length; +} + const char * ntlm_phase_1 (const struct http_proxy_info *p, struct gc_arena *gc) { 
@@ -105,23 +189,56 @@ const char * ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc) { + /* NTLM handshake + * + * http://davenport.sourceforge.net/ntlm.html + * + */ + char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */ char buf2[128]; /* decoded reply from proxy */ - char phase3[146]; + unsigned char phase3[464]; char md4_hash[21]; - char challenge[8], response[24]; - int i, ret_val, buflen; + char challenge[8], ntlm_response[24]; + int i, ret_val; des_cblock key1, key2, key3; des_key_schedule sched1, sched2, sched3; - /* try a minimal NTLM handshake - * - * http://davenport.sourceforge.net/ntlm.html - * - */ + char ntlmv2_response[144]; + char userdomain_u[256]; /* for uppercase unicode username and domain */ + char userdomain[128]; /* the same as previous but ascii */ + char ntlmv2_hash[16]; + char ntlmv2_hmacmd5[16]; + char *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */ + int ntlmv2_blob_size=0; + int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */ + int len; + + char domain[128]; + char username[128]; + char *separator; + + bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2); + ASSERT (strlen (p->up.username) > 0); ASSERT (strlen (p->up.password) > 0); + + /* username parsing */ + separator = strchr(p->up.username, '\\'); + if (separator == NULL) { + strncpy(username, p->up.username, sizeof(username)-1); + username[sizeof(username)-1]=0; + domain[0]=0; + } else { + strncpy(username, separator+1, sizeof(username)-1); + username[sizeof(username)-1]=0; + len = separator - p->up.username; + if (len > sizeof(domain) - 1) len = sizeof(domain) - 1; + strncpy(domain, p->up.username, len); + domain[len]=0; + } + /* fill 1st 16 bytes with md4 hash, disregard terminating null */ gen_md4_hash (pwbuf, unicodize (pwbuf, p->up.password) - 2, md4_hash); 
@@ -139,48 +256,95 @@ challenge[i] = buf2[i+24]; } - create_des_keys ((unsigned char *)md4_hash, key1); - des_set_key_unchecked ((des_cblock *)key1, sched1); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)response, sched1, DES_ENCRYPT); - - create_des_keys ((unsigned char *)&(md4_hash[7]), key2); - des_set_key_unchecked ((des_cblock *)key2, sched2); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[8]), sched2, DES_ENCRYPT); - - create_des_keys ((unsigned char *)&(md4_hash[14]), key3); - des_set_key_unchecked ((des_cblock *)key3, sched3); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[16]), sched3, DES_ENCRYPT); - - /* clear reply */ - memset (phase3, 0, sizeof (phase3)); - - strcpy (phase3, "NTLMSSP\0"); - phase3[8] = 3; /* type 3 */ - - buflen = 0x58 + strlen (p->up.username); - if (buflen > (int) sizeof (phase3)) - buflen = sizeof (phase3); - - phase3[0x10] = buflen; /* lm not used */ - phase3[0x20] = buflen; /* default domain (i.e. 
proxy's domain) */ - phase3[0x30] = buflen; /* no workstation name supplied */ - phase3[0x38] = buflen; /* no session key */ - - phase3[0x14] = 24; /* ntlm response is 24 bytes long */ - phase3[0x16] = phase3[0x14]; - phase3[0x18] = 0x40; /* ntlm offset */ - memcpy (&(phase3[0x40]), response, 24); - - - phase3[0x24] = strlen (p->up.username); /* username in ascii */ - phase3[0x26] = phase3[0x24]; - phase3[0x28] = 0x58; - strncpy (&(phase3[0x58]), p->up.username, sizeof (phase3) - 0x58); - + if (ntlmv2_enabled){ /* Generate NTLMv2 response */ + + /* NTLMv2 hash */ + my_strupr(strcpy(userdomain, username)); + if (strlen(username) + strlen(domain) < sizeof(userdomain)) + strcat(userdomain, domain); + else + msg (M_INFO, "Warning: Username or domain too long"); + unicodize (userdomain_u, userdomain); + gen_hmac_md5(userdomain_u, 2 * strlen(userdomain), md4_hash, 16, ntlmv2_hash); + + /* NTLMv2 Blob */ + memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */ + ntlmv2_blob[0x00]=1; /* Signature */ + ntlmv2_blob[0x01]=1; /* Signature */ + ntlmv2_blob[0x04]=0; /* Reserved */ + gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */ + gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */ + ntlmv2_blob[0x18]=0; /* Unknown, zero should work */ + + /* Add target information block to the blob */ + int tib_len; + if (( *((long *)&buf2[0x14]) & 0x00800000) == 0x00800000){ /* Check for Target Information block */ + tib_len = buf2[0x28];/* Get Target Information block size */ + if (tib_len > 96) tib_len = 96; + char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ + memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ + } else { + tib_len = 0; + } + + ntlmv2_blob[0x1c + tib_len] = 0; /* Unknown, zero works */ + + /* Get blob length */ + ntlmv2_blob_size = 0x20 + tib_len; + + /* Add challenge from message 2 */ + memcpy(&ntlmv2_response[8], challenge, 8); + + /* hmac-md5 */ + gen_hmac_md5(&ntlmv2_response[8], 
ntlmv2_blob_size + 8, ntlmv2_hash, 16, ntlmv2_hmacmd5); + + /* Add hmac-md5 result to the blob */ + memcpy(ntlmv2_response, ntlmv2_hmacmd5, 16); /* Note: This overwrites challenge previously written at ntlmv2_response[8..15] */ + + } else { /* Generate NTLM response */ + + create_des_keys ((unsigned char *)md4_hash, key1); + des_set_key_unchecked ((des_cblock *)key1, sched1); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)ntlm_response, sched1, DES_ENCRYPT); + + create_des_keys ((unsigned char *)&(md4_hash[7]), key2); + des_set_key_unchecked ((des_cblock *)key2, sched2); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[8]), sched2, DES_ENCRYPT); + + create_des_keys ((unsigned char *)&(md4_hash[14]), key3); + des_set_key_unchecked ((des_cblock *)key3, sched3); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[16]), sched3, DES_ENCRYPT); + } + + + memset (phase3, 0, sizeof (phase3)); /* clear reply */ + + strcpy (phase3, "NTLMSSP\0"); /* signature */ + phase3[8] = 3; /* type 3 */ + + if (ntlmv2_enabled){ /* NTLMv2 response */ + add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos); + }else{ /* NTLM response */ + add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos); + } + + /* username in ascii */ + add_security_buffer(0x24, username, strlen (username), phase3, &phase3_bufpos); + + /* Set domain. If <domain> is empty, default domain will be used (i.e. 
proxy's domain) */ + add_security_buffer(0x1c, domain, strlen (domain), phase3, &phase3_bufpos); + + + /* other security buffers will be empty */ + phase3[0x10] = phase3_bufpos; /* lm not used */ + phase3[0x30] = phase3_bufpos; /* no workstation name supplied */ + phase3[0x38] = phase3_bufpos; /* no session key */ + + /* flags */ phase3[0x3c] = 0x02; /* negotiate oem */ phase3[0x3d] = 0x02; /* negotiate ntlm */ - return ((const char *)make_base64_string2 ((unsigned char *)phase3, buflen, gc)); + return ((const char *)make_base64_string2 ((unsigned char *)phase3, phase3_bufpos, gc)); } #else diff -Naur openvpn-2.1/proxy.c openvpn-NTLMv2-predelane-2.1/proxy.c --- openvpn-2.1/proxy.c 2008-01-13 21:25:52.945307200 +0100 +++ openvpn-NTLMv2-predelane-2.1/proxy.c 2008-01-15 11:46:12.737156800 +0100 @@ -294,19 +294,21 @@ p->auth_method = HTTP_AUTH_BASIC; else if (!strcmp (o->auth_method_string, "ntlm")) p->auth_method = HTTP_AUTH_NTLM; + else if (!strcmp (o->auth_method_string, "ntlm2")) + p->auth_method = HTTP_AUTH_NTLM2; else - msg (M_FATAL, "ERROR: unknown HTTP authentication method: '%s' -- only the 'none', 'basic', or 'ntlm' methods are currently supported", + msg (M_FATAL, "ERROR: unknown HTTP authentication method: '%s' -- only the 'none', 'basic', 'ntlm', or 'ntlm2' methods are currently supported", o->auth_method_string); } - /* only basic and NTLM authentication supported so far */ - if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM) + /* only basic and NTLM/NTLMv2 authentication supported so far */ + if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http (p, true); } #if !NTLM - if (p->auth_method == HTTP_AUTH_NTLM) + if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) msg (M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support."); #endif 
@@ -374,6 +376,12 @@ #if NTLM case HTTP_AUTH_NTLM: + case HTTP_AUTH_NTLM2: + /* keep-alive connection */ + openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); + if (!send_line_crlf (sd, buf)) + goto error; + openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", ntlm_phase_1 (p, &gc)); msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 1"); @@ -411,7 +419,7 @@ msg (D_PROXY, "Proxy requires authentication"); /* check for NTLM */ - if (p->auth_method == HTTP_AUTH_NTLM) + if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { #if NTLM /* look for the phase 2 response */ @@ -456,6 +464,12 @@ if (!send_line_crlf (sd, buf)) goto error; + /* keep-alive connection */ + openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); + if (!send_line_crlf (sd, buf)) + goto error; + + /* send HOST etc, */ openvpn_sleep (1); openvpn_snprintf (buf, sizeof(buf), "Host: %s", host); diff -Naur openvpn-2.1/proxy.h openvpn-NTLMv2-predelane-2.1/proxy.h --- openvpn-2.1/proxy.h 2008-01-13 21:25:52.975350400 +0100 +++ openvpn-NTLMv2-predelane-2.1/proxy.h 2008-01-15 11:25:00.097190400 +0100 @@ -59,6 +59,7 @@ #define HTTP_AUTH_BASIC 1 #define HTTP_AUTH_NTLM 2 #define HTTP_AUTH_N 3 +#define HTTP_AUTH_NTLM2 4 struct http_proxy_options { const char *server; |
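Review bot: my_strupr in the `@@ -70,6 +87,61 @@` hunk of ntlm.c reads past the terminator when handed an empty string, because the do/while uppercases str[0] unconditionally and then tests str[1]; ntlm_phase_3 can produce exactly that when p->up.username ends in a backslash (separator found, username copied from separator+1 is empty), since the ASSERT only covers the full p->up.username. A plain `while (*str) { *str = toupper(*str); str++; }` fixes it; while there, drop the stray `;;`, make the function static like its neighbours and take `char *`, since the only caller passes the char array userdomain. In the same hunk, gen_nonce fills the NTLMv2 client nonce from get_random(), OpenVPN's plain libc-style PRNG; that nonce is what keeps a captured response from being replayed, so it should come from the crypto-quality generator in crypto.c (prng_bytes).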
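Review bot: add_security_buffer in the `@@ -85,6 +157,18 @@` hunk stores only the low byte of length (msg_buf[sb_offset], mirrored to sb_offset+2) yet advances *msg_bufpos by the full value and copies msg_buf[sb_offset] bytes, so for a length of 256 or more the descriptor, the copy and the cursor disagree; it also never checks that *msg_bufpos + length fits in the message. The current callers stay under 256 (ntlmv2_response is 144 bytes, username and domain at most 127) and the worst case 0x40 + 144 + 127 + 127 = 462 fits phase3[464] by two bytes, but nothing enforces either fact. Write the full 16-bit length and allocated fields and the 32-bit offset, pass the buffer size in and fail when the copy would overflow, or at least ASSERT the invariant next to the 464.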
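Review bot: the target-information handling in the `@@ -139,48 +256,95 @@` hunk trusts the Type 2 message from the proxy without bounds checks: `*((long *)&buf2[0x14])` is an unaligned host-endian read of a 32-bit little-endian flags field (8 bytes wide on LP64 and the wrong bit on big-endian, which defeats the architecture-independence goal stated earlier in the thread), `tib_len = buf2[0x28]` goes through a signed char, so a length byte of 0x80 or more turns negative, passes the `> 96` clamp and reaches memcpy as a huge size_t, and `tib_ptr = buf2 + buf2[0x2c]` is never compared with the number of bytes actually decoded into the 128-byte buf2, so a short or malformed reply makes memcpy read past the decoded data into the blob that is then sent back to the proxy. Assemble the flags, the 16-bit length and the 32-bit offset byte by byte into unsigned values, and reject the block when offset + length exceeds the decoded length before copying.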
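Review bot: the new 'ntlm2' auth method in the `@@ -294,19 +294,21 @@` hunk of proxy.c arrives without documentation: the patch touches only ntlm.c, proxy.c and proxy.h, so the --http-proxy auth-method text in the man page and the options help is not updated. The name is also easy to confuse with NTLM2 session security, which is a different mechanism from the NTLMv2 response this patch computes; 'ntlmv2', or a documentation line spelling out that 'ntlm2' selects NTLMv2, would avoid that.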
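Review bot: in the proxy.h hunk HTTP_AUTH_NTLM2 is given the value 4, placed after HTTP_AUTH_N 3; if HTTP_AUTH_N is the number of methods, as its name and its position at the end of the sequence suggest, the new method should take 3 and HTTP_AUTH_N move to 4, otherwise anything sized or iterated by HTTP_AUTH_N misses NTLMv2.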
| From: Alon Bar-L. <alo...@gm...> - 2008-03-13 13:45:28 |
On 3/12/08, Mirek Zajic <za...@ne...> wrote:
> > Just noticed that openvpn has: openvpn_gettimeofday() which works also
> > for WIN32... Maybe use this one?
> >
> >
> openvpn_time works fine, why to change?

I remember you used gettimeofday in previous versions... I missed the openvpn_gettimeofday() availability... Maybe the protocol does require more precise timing... I truly don't know.

> >> + msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos & 0xff00) >> 8);
> >>
> >
> > always & such with 0xff.
> >
> Please explain, I don't understand

msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos >> 8) & 0xff);

> Some Microsoft compilers doesn't support long long, but they support
> __int64. The same is with LL/Ui64 postfix. I think that this is correct.
> But I'm not sure about the location. Maybe that it should be placed in
> some common header (common.h?) for further usage by other modules.

This is James' call... But currently OpenVPN cannot be compiled on these compilers anyway... So adding these macros is not required.

Anyway... This is about as far as I can help.

Alon. |
| From: Mirek Z. <za...@ne...> - 2008-03-12 15:39:03 |
Thanks for your comments. There are some things that have to be explained before I'll make the changes, please read below.

Alon Bar-Lev wrote:
> On 3/12/08, Mirek Zajic <za...@ne...> wrote:
>
>> Hello,
>> I have finally made some changes to the NTLMv2 patch according to Alon's
>> comments. Now it should also be architecture independent.
>>
>> Miroslav Zajic
>> NextSoft s.r.o.
>>
>
> Hi!
> Great!
> Some more comments... :)
>
>
>> + timestamp_ull = openvpn_time(NULL);
>> + timestamp_ull = (timestamp_ull + UINT64(11644473600)) *
>> UINT64(10000000);
>>
>
> Just noticed that openvpn has: openvpn_gettimeofday() which works also
> for WIN32... Maybe use this one?
>
>
openvpn_time works fine, why to change?

>> + msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos & 0xff00) >> 8);
>>
>
> always & such with 0xff.
>
Please explain, I don't understand

>
>> diff -Naur openvpn-2.1/ntlm.h openvpn-NTLMv2-predelane-2.1/ntlm.h
>> --- openvpn-2.1/ntlm.h 2008-01-13 21:25:52.935292800 +0100
>> +++ openvpn-NTLMv2-predelane-2.1/ntlm.h 2008-03-12 11:35:36.296875000
>> +0100
>> @@ -3,6 +3,18 @@
>>
>> #if NTLM
>>
>> +/* 64bit datatype macros */
>> +#ifdef _MSC_VER
>> + /* MS compilers */
>> +#define UINTEGER64 __int64
>> +#define UINT64(c) c ## Ui64
>> +#else
>> + /* Non MS compilers */
>> +#define UINTEGER64 unsigned long long
>> +#define UINT64(c) c ## LL
>> +#endif
>> +
>>
>>
>
> Why not use long long for both platforms, it is already used in common.h...
> Also you can use ull suffix for both platforms.
>
> Anyway... this belongs to the .c file, it is not used by any other files.
> But I don't think it is required at all.
>
> Alon.
>
Some Microsoft compilers don't support long long, but they support __int64. The same is with the LL/Ui64 postfix. I think that this is correct. But I'm not sure about the location. Maybe it should be placed in some common header (common.h?) for further usage by other modules.

Thanks
Miroslav Zajic
NextSoft s.r.o. |
| From: Alon Bar-L. <alo...@gm...> - 2008-03-12 15:02:14 |
On 3/12/08, Mirek Zajic <za...@ne...> wrote:
> Hello,
> I have finally made some changes to the NTLMv2 patch according to Alon's
> comments. Now it should also be architecture independent.
>
> Miroslav Zajic
> NextSoft s.r.o.

Hi!
Great!
Some more comments... :)

> + timestamp_ull = openvpn_time(NULL);
> + timestamp_ull = (timestamp_ull + UINT64(11644473600)) *
> UINT64(10000000);

Just noticed that openvpn has: openvpn_gettimeofday() which works also for WIN32... Maybe use this one?

> + msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos & 0xff00) >> 8);

always & such with 0xff.

> diff -Naur openvpn-2.1/ntlm.h openvpn-NTLMv2-predelane-2.1/ntlm.h
> --- openvpn-2.1/ntlm.h 2008-01-13 21:25:52.935292800 +0100
> +++ openvpn-NTLMv2-predelane-2.1/ntlm.h 2008-03-12 11:35:36.296875000
> +0100
> @@ -3,6 +3,18 @@
>
> #if NTLM
>
> +/* 64bit datatype macros */
> +#ifdef _MSC_VER
> + /* MS compilers */
> +#define UINTEGER64 __int64
> +#define UINT64(c) c ## Ui64
> +#else
> + /* Non MS compilers */
> +#define UINTEGER64 unsigned long long
> +#define UINT64(c) c ## LL
> +#endif
> +

Why not use long long for both platforms, it is already used in common.h... Also you can use ull suffix for both platforms.

Anyway... this belongs to the .c file, it is not used by any other files. But I don't think it is required at all.

Alon. |
| From: Mirek Z. <za...@ne...> - 2008-03-12 12:25:53 |
Hello, I have finally made some changes to the NTLMv2 patch according to Alon's comments. Now it should also be architecture independent. Miroslav Zajic NextSoft s.r.o. diff -Naur openvpn-2.1/ntlm.c openvpn-NTLMv2-predelane-2.1/ntlm.c --- openvpn-2.1/ntlm.c 2008-01-13 21:25:52.915264000 +0100 +++ openvpn-NTLMv2-predelane-2.1/ntlm.c 2008-03-12 11:36:40.687500000 +0100 @@ -3,6 +3,8 @@ * * Copyright (C) 2004 William Preston * + * *NTLMv2 support and domain name parsing by Miroslav Zajic, Nextsoft s.r.o.* + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or 
@@ -70,6 +72,61 @@ memcpy (result, md, 16); } +static void +gen_hmac_md5 (const char* data, int data_len, const char* key, int key_len,char *result) +{ + unsigned int len; + + HMAC_CTX c; + HMAC_Init (&c, key, key_len, EVP_md5()); + HMAC_Update (&c, data, data_len); + HMAC_Final (&c, result, &len); + HMAC_CTX_cleanup(&c); +} + +static void +gen_timestamp (unsigned char *timestamp) +{ + /* Copies 8 bytes long timestamp into "timestamp" buffer. + * Timestamp is Little-endian, 64-bit signed value representing the number of tenths of a microsecond since January 1, 1601. + */ + + UINTEGER64 timestamp_ull; + + timestamp_ull = openvpn_time(NULL); + timestamp_ull = (timestamp_ull + UINT64(11644473600)) * UINT64(10000000); + + /* store little endian value */ + timestamp[0]= timestamp_ull & UINT64(0xFF); + timestamp[1]= (timestamp_ull & UINT64(0xFF00)) >> 8; + timestamp[2]= (timestamp_ull & UINT64(0xFF0000)) >> 16; + timestamp[3]= (timestamp_ull & UINT64(0xFF000000)) >> 24; + timestamp[4]= (timestamp_ull & UINT64(0xFF00000000)) >> 32; + timestamp[5]= (timestamp_ull & UINT64(0xFF0000000000)) >> 40; + timestamp[6]= (timestamp_ull & UINT64(0xFF000000000000)) >> 48; + timestamp[7]= (timestamp_ull & UINT64(0xFF00000000000000)) >> 52; +} + +static void +gen_nonce (unsigned char *nonce) +{ + /* Generates 8 random bytes to be used as client nonce */ + int i; + + for(i=0;i<8;i++){ + nonce[i] = (unsigned char)get_random(); + } +} + +unsigned char *my_strupr(unsigned char *str) +{ + /* converts string to uppercase in place */ + unsigned char *tmp = str;; + + do *str = toupper(*str); while (*(++str)); + return tmp; +} + static int unicodize (char *dst, const char *src) { 
@@ -85,6 +142,18 @@ return i; } +static void +add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos) +{ + /* Adds security buffer data to a message and sets security buffer's offset and length */ + msg_buf[sb_offset] = (unsigned char)length; + msg_buf[sb_offset + 2] = msg_buf[sb_offset]; + msg_buf[sb_offset + 4] = (unsigned char)(*msg_bufpos & 0xff); + msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos & 0xff00) >> 8); + memcpy(&msg_buf[*msg_bufpos], data, msg_buf[sb_offset]); + *msg_bufpos += length; +} + const char * ntlm_phase_1 (const struct http_proxy_info *p, struct gc_arena *gc) { 
@@ -105,23 +174,56 @@ const char * ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc) { + /* NTLM handshake + * + * http://davenport.sourceforge.net/ntlm.html + * + */ + char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */ char buf2[128]; /* decoded reply from proxy */ - char phase3[146]; + unsigned char phase3[464]; char md4_hash[21]; - char challenge[8], response[24]; - int i, ret_val, buflen; + char challenge[8], ntlm_response[24]; + int i, ret_val; des_cblock key1, key2, key3; des_key_schedule sched1, sched2, sched3; - /* try a minimal NTLM handshake - * - * http://davenport.sourceforge.net/ntlm.html - * - */ + char ntlmv2_response[144]; + char userdomain_u[256]; /* for uppercase unicode username and domain */ + char userdomain[128]; /* the same as previous but ascii */ + char ntlmv2_hash[16]; + char ntlmv2_hmacmd5[16]; + char *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */ + int ntlmv2_blob_size=0; + int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */ + int len; + + char domain[128]; + char username[128]; + char *separator; + + bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2); + ASSERT (strlen (p->up.username) > 0); ASSERT (strlen (p->up.password) > 0); + + /* username parsing */ + separator = strchr(p->up.username, '\\'); + if (separator == NULL) { + strncpy(username, p->up.username, sizeof(username)-1); + username[sizeof(username)-1]=0; + domain[0]=0; + } else { + strncpy(username, separator+1, sizeof(username)-1); + username[sizeof(username)-1]=0; + len = separator - p->up.username; + if (len > sizeof(domain) - 1) len = sizeof(domain) - 1; + strncpy(domain, p->up.username, len); + domain[len]=0; + } + /* fill 1st 16 bytes with md4 hash, disregard terminating null */ gen_md4_hash (pwbuf, unicodize (pwbuf, p->up.password) - 2, md4_hash); 
@@ -139,48 +241,95 @@ challenge[i] = buf2[i+24]; } - create_des_keys ((unsigned char *)md4_hash, key1); - des_set_key_unchecked ((des_cblock *)key1, sched1); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)response, sched1, DES_ENCRYPT); - - create_des_keys ((unsigned char *)&(md4_hash[7]), key2); - des_set_key_unchecked ((des_cblock *)key2, sched2); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[8]), sched2, DES_ENCRYPT); - - create_des_keys ((unsigned char *)&(md4_hash[14]), key3); - des_set_key_unchecked ((des_cblock *)key3, sched3); - des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[16]), sched3, DES_ENCRYPT); - - /* clear reply */ - memset (phase3, 0, sizeof (phase3)); - - strcpy (phase3, "NTLMSSP\0"); - phase3[8] = 3; /* type 3 */ - - buflen = 0x58 + strlen (p->up.username); - if (buflen > (int) sizeof (phase3)) - buflen = sizeof (phase3); - - phase3[0x10] = buflen; /* lm not used */ - phase3[0x20] = buflen; /* default domain (i.e. 
proxy's domain) */ - phase3[0x30] = buflen; /* no workstation name supplied */ - phase3[0x38] = buflen; /* no session key */ - - phase3[0x14] = 24; /* ntlm response is 24 bytes long */ - phase3[0x16] = phase3[0x14]; - phase3[0x18] = 0x40; /* ntlm offset */ - memcpy (&(phase3[0x40]), response, 24); - - - phase3[0x24] = strlen (p->up.username); /* username in ascii */ - phase3[0x26] = phase3[0x24]; - phase3[0x28] = 0x58; - strncpy (&(phase3[0x58]), p->up.username, sizeof (phase3) - 0x58); - + if (ntlmv2_enabled){ /* Generate NTLMv2 response */ + + /* NTLMv2 hash */ + my_strupr(strcpy(userdomain, username)); + if (strlen(username) + strlen(domain) < sizeof(userdomain)) + strcat(userdomain, domain); + else + msg (M_INFO, "Warning: Username or domain too long"); + unicodize (userdomain_u, userdomain); + gen_hmac_md5(userdomain_u, 2 * strlen(userdomain), md4_hash, 16, ntlmv2_hash); + + /* NTLMv2 Blob */ + memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */ + ntlmv2_blob[0x00]=1; /* Signature */ + ntlmv2_blob[0x01]=1; /* Signature */ + ntlmv2_blob[0x04]=0; /* Reserved */ + gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */ + gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */ + ntlmv2_blob[0x18]=0; /* Unknown, zero should work */ + + /* Add target information block to the blob */ + int tib_len; + if (( *((long *)&buf2[0x14]) & 0x00800000) == 0x00800000){ /* Check for Target Information block */ + tib_len = buf2[0x28];/* Get Target Information block size */ + if (tib_len > 96) tib_len = 96; + char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ + memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ + } else { + tib_len = 0; + } + + ntlmv2_blob[0x1c + tib_len] = 0; /* Unknown, zero works */ + + /* Get blob length */ + ntlmv2_blob_size = 0x20 + tib_len; + + /* Add challenge from message 2 */ + memcpy(&ntlmv2_response[8], challenge, 8); + + /* hmac-md5 */ + gen_hmac_md5(&ntlmv2_response[8], 
ntlmv2_blob_size + 8, ntlmv2_hash, 16, ntlmv2_hmacmd5); + + /* Add hmac-md5 result to the blob */ + memcpy(ntlmv2_response, ntlmv2_hmacmd5, 16); /* Note: This overwrites challenge previously written at ntlmv2_response[8..15] */ + + } else { /* Generate NTLM response */ + + create_des_keys ((unsigned char *)md4_hash, key1); + des_set_key_unchecked ((des_cblock *)key1, sched1); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)ntlm_response, sched1, DES_ENCRYPT); + + create_des_keys ((unsigned char *)&(md4_hash[7]), key2); + des_set_key_unchecked ((des_cblock *)key2, sched2); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[8]), sched2, DES_ENCRYPT); + + create_des_keys ((unsigned char *)&(md4_hash[14]), key3); + des_set_key_unchecked ((des_cblock *)key3, sched3); + des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[16]), sched3, DES_ENCRYPT); + } + + + memset (phase3, 0, sizeof (phase3)); /* clear reply */ + + strcpy (phase3, "NTLMSSP\0"); /* signature */ + phase3[8] = 3; /* type 3 */ + + if (ntlmv2_enabled){ /* NTLMv2 response */ + add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos); + }else{ /* NTLM response */ + add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos); + } + + /* username in ascii */ + add_security_buffer(0x24, username, strlen (username), phase3, &phase3_bufpos); + + /* Set domain. If <domain> is empty, default domain will be used (i.e. 
proxy's domain) */ + add_security_buffer(0x1c, domain, strlen (domain), phase3, &phase3_bufpos); + + + /* other security buffers will be empty */ + phase3[0x10] = phase3_bufpos; /* lm not used */ + phase3[0x30] = phase3_bufpos; /* no workstation name supplied */ + phase3[0x38] = phase3_bufpos; /* no session key */ + + /* flags */ phase3[0x3c] = 0x02; /* negotiate oem */ phase3[0x3d] = 0x02; /* negotiate ntlm */ - return ((const char *)make_base64_string2 ((unsigned char *)phase3, buflen, gc)); + return ((const char *)make_base64_string2 ((unsigned char *)phase3, phase3_bufpos, gc)); } #else diff -Naur openvpn-2.1/ntlm.h openvpn-NTLMv2-predelane-2.1/ntlm.h --- openvpn-2.1/ntlm.h 2008-01-13 21:25:52.935292800 +0100 +++ openvpn-NTLMv2-predelane-2.1/ntlm.h 2008-03-12 11:35:36.296875000 +0100 @@ -3,6 +3,18 @@ #if NTLM +/* 64bit datatype macros */ +#ifdef _MSC_VER + /* MS compilers */ +#define UINTEGER64 __int64 +#define UINT64(c) c ## Ui64 +#else + /* Non MS compilers */ +#define UINTEGER64 unsigned long long +#define UINT64(c) c ## LL +#endif + + const char *ntlm_phase_1 (const struct http_proxy_info *p, struct gc_arena *gc); const char *ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc); diff -Naur openvpn-2.1/proxy.c openvpn-NTLMv2-predelane-2.1/proxy.c --- openvpn-2.1/proxy.c 2008-01-13 21:25:52.945307200 +0100 +++ openvpn-NTLMv2-predelane-2.1/proxy.c 2008-01-15 11:46:12.737156800 +0100 
@@ -294,19 +294,21 @@ p->auth_method = HTTP_AUTH_BASIC; else if (!strcmp (o->auth_method_string, "ntlm")) p->auth_method = HTTP_AUTH_NTLM; + else if (!strcmp (o->auth_method_string, "ntlm2")) + p->auth_method = HTTP_AUTH_NTLM2; else - msg (M_FATAL, "ERROR: unknown HTTP authentication method: '%s' -- only the 'none', 'basic', or 'ntlm' methods are currently supported", + msg (M_FATAL, "ERROR: unknown HTTP authentication method: '%s' -- only the 'none', 'basic', 'ntlm', or 'ntlm2' methods are currently supported", o->auth_method_string); } - /* only basic and NTLM authentication supported so far */ - if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM) + /* only basic and NTLM/NTLMv2 authentication supported so far */ + if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http (p, true); } #if !NTLM - if (p->auth_method == HTTP_AUTH_NTLM) + if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) msg (M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support."); #endif @@ -374,6 +376,12 @@ #if NTLM case HTTP_AUTH_NTLM: + case HTTP_AUTH_NTLM2: + /* keep-alive connection */ + openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); + if (!send_line_crlf (sd, buf)) + goto error; + openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", ntlm_phase_1 (p, &gc)); msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 1"); @@ -411,7 +419,7 @@ msg (D_PROXY, "Proxy requires authentication"); /* check for NTLM */ - if (p->auth_method == HTTP_AUTH_NTLM) + if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) { #if NTLM /* look for the phase 2 response */ 
@@ -456,6 +464,12 @@ if (!send_line_crlf (sd, buf)) goto error; + /* keep-alive connection */ + openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive"); + if (!send_line_crlf (sd, buf)) + goto error; + + /* send HOST etc, */ openvpn_sleep (1); openvpn_snprintf (buf, sizeof(buf), "Host: %s", host); diff -Naur openvpn-2.1/proxy.h openvpn-NTLMv2-predelane-2.1/proxy.h --- openvpn-2.1/proxy.h 2008-01-13 21:25:52.975350400 +0100 +++ openvpn-NTLMv2-predelane-2.1/proxy.h 2008-01-15 11:25:00.097190400 +0100 @@ -59,6 +59,7 @@ #define HTTP_AUTH_BASIC 1 #define HTTP_AUTH_NTLM 2 #define HTTP_AUTH_N 3 +#define HTTP_AUTH_NTLM2 4 struct http_proxy_options { const char *server; |
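Review bot: in the ntlm_phase_3 hunk nothing visible bounds-checks phase3 once the response becomes variable-length: `add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos);` appends a blob whose size is derived from the proxy's challenge, then username and domain, and phase3_bufpos is afterwards trusted as the length in `make_base64_string2 ((unsigned char *)phase3, phase3_bufpos, gc)`. Since the proxy controls the blob size, add_security_buffer (or the caller) should refuse any write that would pass sizeof(phase3) instead of relying on the blob being small. Two smaller points in the same hunk: `phase3[0x10] = phase3_bufpos;` and the matching stores at 0x30 and 0x38 put a single byte into what are 4-byte little-endian offset fields, which only works while those buffers have zero length and phase3_bufpos stays below 256, so write all four bytes; and the DES branch reads 7 key bytes starting at &(md4_hash[14]), so it depends on md4_hash being a 21-byte buffer zero-padded past the 16-byte MD4 output, which deserves a comment at the declaration. The comment on the memcpy that overwrites the challenge at ntlmv2_response[8..15] is correct and worth keeping, since the challenge is only needed as HMAC input.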
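Review bot: the two branches of the new 64-bit macros in ntlm.h disagree on signedness: the MSVC branch defines `UINTEGER64 __int64`, which is signed, while the other branch uses `unsigned long long`, and the `UINT64(c) c ## Ui64` suffix is itself unsigned. Use `#define UINTEGER64 unsigned __int64` so shifts and comparisons on these values behave the same on both compilers.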
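Review bot: the @@ -294 hunk in proxy.c accepts a new "ntlm2" keyword and updates the M_FATAL message, but no hunk in this part of the patch updates the user-facing description of the http-proxy auth-method argument (man page or options help). If that is not covered earlier in the patch, document `ntlm2` next to `ntlm` and state that it sends an NTLMv2 response, so users know why they would pick it.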
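Review bot: the `Proxy-Connection: Keep-Alive` send added in the @@ -374 hunk is repeated verbatim in the @@ -456 hunk; factor the two identical openvpn_snprintf/send_line_crlf pairs into one helper so they cannot drift apart. The header itself is the right thing to send, since NTLM authenticates the TCP connection and the phase-2 challenge is only valid on the socket that received phase 1; a one-line comment saying so would explain why it is sent only on the NTLM/NTLM2 paths.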
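Review bot: in proxy.h the new `#define HTTP_AUTH_NTLM2 4` is placed after `#define HTTP_AUTH_N 3`, whose name suggests it is the count or upper bound of the auth-method constants; if HTTP_AUTH_N is used anywhere as an array size or loop limit, the value 4 falls outside it. Renumber so that HTTP_AUTH_NTLM2 is 3 and HTTP_AUTH_N becomes 4, keeping the constants contiguous.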
| From: Friedrich N. <ler...@ho...> - 2008-03-11 11:24:07 |
Hi, I get compile errors with the current RC. Is this intended? Why can't I compile it? |
| From: Wenzhuo Z. <we...@zh...> - 2008-03-11 00:33:15 |
Wenzhuo Zhang wrote: >>> 3. If OpenVPN is already running as a service in Windows Vista, the >>> OpenVPN GUI can still connect and break routing unexpectedly. IMHO, >>> OpenVPN should allow only one instance for one particular connection. >>> >> I'm not sure what you mean by "running as a service". Does this mean >> that you started it up with the UTORvpn icon, connected, and started it >> up again with the UTORvpn icon? >> >> > > By running as a service, I mean starting the OpenVPN service through the > Windows services.msc and setting it to Automatic there. I am talking about client mode here. OpenVPN should allow only one instance for one particular client-mode connection. If one instance is running already, the second instance should abort. Wenzhuo |
| From: Wenzhuo Z. <we...@zh...> - 2008-03-11 00:02:52 |
Matt Wilks wrote: >> 1. The font size in the status window is too small for both XP and >> Vista. See >> http://web.zhmail.com/screenshot/20080309/OpenVPN_StatusWindow.PNG >> > > I wonder if this has something to do with your Chinese fonts. I haven't > seen this on any installations I have made... > All font settings are factory default in both XP and Vista. This could be an issue for all CJK editions of Windows. >> 2. Uninstaller does not delete start menu shortcuts on Vista. >> > > OK, I'll take a look into this when I can. > > >> 3. If OpenVPN is already running as a service in Windows Vista, the >> OpenVPN GUI can still connect and break routing unexpectedly. IMHO, >> OpenVPN should allow only one instance for one particular connection. >> > > I'm not sure what you mean by "running as a service". Does this mean > that you started it up with the UTORvpn icon, connected, and started it > up again with the UTORvpn icon? > > By running as a service, I mean starting the OpenVPN service through the Windows services.msc and setting it to Automatic there. Wenzhuo |
| From: Wenzhuo Z. <we...@zh...> - 2008-03-10 01:50:10 |
Hi, I have just tried OpenVPN 2.1_rc7 on Windows XP Home (Simplified Chinese Edition) and Windows Vista Basic (Simplified Chinese Edition). I have three minor issues with it: 1. The font size in the status window is too small for both XP and Vista. See http://web.zhmail.com/screenshot/20080309/OpenVPN_StatusWindow.PNG 2. Uninstaller does not delete start menu shortcuts on Vista. 3. If OpenVPN is already running as a service in Windows Vista, the OpenVPN GUI can still connect and break routing unexpectedly. IMHO, OpenVPN should allow only one instance for one particular connection. Wenzhuo |